AUTHENTICATION FOR CLIENT-SERVER SYSTEMS 

BACKGROUND OF THE INVENTION 

1. Field of the Invention. 

The present invention relates in general to client- server systems and in 
particular to a system and method for providing positional authentication for 
client-server systems. 



2. Related Art. 

Computer networks are common and vitally important in many diverse 
applications including business, universities and government. In general, a 
computer network is two or more computers (or associated devices) that are 
connected by communication facilities. A computer network generally includes a 
server, which is a computer that provides shared resources to users of the network, 
and a client, which is a computer that accesses the shared network resources 
provided by the server using the communication facilities. This type of system is 
commonly referred to as a client-server system. 

There are several popular client-server systems that are used in current 
networking environments. Some examples include intranet networking 
environments and the Internet. An intranet is usually a private local area network 
(LAN) environment. Intranets are very popular with both small and large 
companies and are becoming popular with home networking environments. The 
Internet is a public wide-area network (WAN) environment. One of the fastest 
growing aspects of the Internet is the World Wide Web (WWW). This is because 
the WWW allows the dissemination of mass media to large numbers of people. 
Both intranets and the Internet enable remote clients to request and receive data 
located on a server. 

Another type of server-client system is an extranet. An extranet is an 
intranet that is partially accessible to authorized outsiders. However, extranets are 
generally set up on the Internet. Hence, an extranet networking environment, with 
relation to access, falls somewhere between an intranet network and the Internet. 
This is because the Internet allows public data access, while intranets usually 
reside behind firewalls and typically are local and only allow data access to specific 
groups or members of the same company or organization. In contrast, an extranet 
can operate in a LAN or WAN environment and can provide various levels of 
accessibility to any person. For example, many extranets allow data access if a 
person has a valid username and password, and the person's identity determines 
which parts of the extranet that person can view. As such, extranets are becoming 
very popular for allowing business partners and customers to exchange and access 
information located on a server system. However, when the Internet is used as a 
basis for an extranet, such as World Wide Web pages acting as software 
distribution points with virtual private networking (VPN) technologies, security can 
be compromised if location is an important access constraint. 

Further, real-time positional systems access coordinate position data from 
various sources, such as local transmitters or satellites, and are becoming more 
and more popular. These systems include GPS (Global Positioning System), MLS 
(Microwave Landing Systems), GSM (Global System for Mobile Communications), 
GIS (Geographical Information Systems) and CPS (Cambridge Positioning Systems) and have been 
recently incorporated into personal computers, electronic mobile devices and 
automobiles. However, limited uses are available for these positioning 
technologies. For instance, these systems are used to primarily support mobile 
mapping applications for recreational uses, such as driving directions, camping and 
hiking. 

As such, there are limited applications available that combine both the 
versatility of computing devices with the capabilities of real-time positioning 
systems. Namely, current systems lack the power to provide a server system with 
secure protection from an unauthorized client user based on the location of the 
client user. For example, in client-server extranets, a client user who has been 
granted access to a particular server system receives the same access from every 
location, even where access from that location is not intended. 
Therefore, what is needed is a system and method for providing access to 
client-server extranets based on positional data. What is further needed is a 
system and method that automatically and dynamically locates position, 
matches data to position and automatically relays modified data to the client 
machine for authenticating and controlling access rights to an extranet 
connected to the client machine. What is also needed is a system and method 
that automatically prevents unauthorized access to the extranet from 
locations where access is not allowed for the client machine. 

SUMMARY OF THE INVENTION 

To overcome the limitations in the prior art described above, and to 
overcome other limitations that will become apparent upon reading and 
understanding the present specification, the present invention is embodied in a 
system and method for providing positional authentication for client-server 
systems, such as extranets. In general, an authentication system of the present 
invention controls and authenticates access rights to a host server from a client 
machine that desires access to the host server via a network connection, such 
as an extranet connection. 

Specifically, the present invention includes a client machine coupled to a 
host server, via any suitable connection, such as an extranet, and a wireless 
positioning system, such as the Global Positioning System (GPS). The client 
machine can be any suitable client computer machine, such as a desktop 
computer, portable notebook computer or the like. The client machine includes 
a positioning receiver and a positional relation module. The host server 
includes an authentication module with predefined access parameters for 
standard and positional authentication. A portion of the predefined access 
parameters is used to associate specific locations of the client machine with 
access rights for positional authentication. 

Before or during the start-up or the login process of the client machine to 
the host server, the positioning receiver receives positional data from the 
wireless positioning system indicating the client machine's position. When the 
client machine requests access to the host server, the machine's positional data 
is transmitted to the host server. Next, the authentication module performs 
standard authentication and then additionally performs positional authentication 
to determine whether access should be granted or denied, or requires a special 
password. The positional authentication is based on the predefined access 
parameters. This can be accomplished since the client machine is 
automatically and dynamically located by the positioning receiver. 

This configuration can automatically prevent unauthorized access where 
access is not allowed or can regulate different levels of access to the host 
server based on different locations. Software running on the host server can be 
preprogrammed with access parameters that define the access rights of client 
machines located throughout the world. Therefore, access rights to the host 
server can be automatically provided, limited or denied, depending on the 
predefined access parameters and the location of the client machine at the time 
access is requested. 

The present invention as well as a more complete understanding thereof 
will be made apparent from a study of the following detailed description of the 
invention in connection with the accompanying drawings and appended claims. 


BRIEF DESCRIPTION OF THE DRAWINGS 

Referring now to the drawings in which like reference numbers represent 
corresponding parts throughout: 

FIG. 1 is a general block diagram showing an overview of the present 
invention. 

FIG. 2 is a block diagram illustrating the components of the present 
invention. 

FIG. 3 is a flow chart illustrating operational details of the present invention. 

DETAILED DESCRIPTION OF THE INVENTION 

In the following description of the invention, reference is made to the 
accompanying drawings, which form a part hereof, and in which is shown by way of 
illustration a specific example in which the invention may be practiced. It is to be 
understood that other embodiments may be utilized and structural changes may be 
made without departing from the scope of the present invention. 



FIG. 1 is a general block diagram showing an overview of the present 
invention. The system 100 includes a user 102 that uses a remote client 104 that is 
connected to a host server 106 via any suitable connection 108. The connection 
108 between the remote client 104 and the host server 106 forms a networking 
environment or extranet that preferably operates in a LAN or WAN environment 
and can provide various levels of accessibility. Access from the remote client 104 
to the host server 106 includes two layers of authentication, standard authentication 
(any suitable standard authentication method can be used, including typical 
methods that require logins with encrypted and secret usernames and passwords) 
and positional authentication, which will be discussed in detail below. 

The system 100 also includes a positioning system 110 that includes at least 
one transmitter 112, such as a positioning satellite. The positioning system 110 
can be any suitable positional access system, such as satellite, microwave, 
infrared, or radio based, which provides positional access with any suitable method, 
for example triangulation. The number of transmitters 112 in the positioning system 
110 can be determined based on the number required to obtain a clear view for 
triangulation. The remote client 104 has a special receiver that is capable of 
receiving a signal from the positioning system 110. 

Most types of positional access systems pinpoint location through 
triangulation. With triangulation, a receiver gathers information from several 
transmission sources. One type of triangulation is three dimensional (3D) 
triangulation, which provides latitudinal, longitudinal and elevational coordinates to 
the receiver. As such, 3D triangulation requires plural transmitters and a 
predefined coordinate system. For instance, the GPS constellation comprises at 
least 24 satellite transmitters. In the GPS system, a clear view of the sky is 
usually required so that a receiver can receive signals from four or more 
transmitters (three to fix position and a fourth to resolve the receiver's clock 
error) and the coordinates of the receiver can be determined. Once the 
coordinates are determined, the specific location can be shown as coordinates 
or illustrated on an associated electronic map that relates to the actual 
coordinates. 
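The planar (2D) case of the position fix described above, worked as an added example that is not code from the patent. What the text calls triangulation is, for range measurements, trilateration: the receiver knows each transmitter's coordinates and its measured range to it, subtracts the first circle equation from the others so the quadratic terms cancel, and solves the remaining linear system in a least-squares sense. The transmitter coordinates, the true receiver position and the ranges are all constructed for the example, in arbitrary planar units rather than real satellite geometry; the fourth measurement GPS needs for the receiver clock offset is not modelled.

```python
import math


def simulate_ranges(true_position, transmitters):
    """Constructed input: the noise-free range a receiver at true_position
    would measure to each transmitter."""
    x, y = true_position
    return [math.hypot(x - tx, y - ty) for tx, ty in transmitters]


def trilaterate_2d(transmitters, ranges):
    """Recover the receiver position from ranges to three or more transmitters
    with known planar coordinates.

    Each transmitter i gives (x - xi)^2 + (y - yi)^2 = ri^2. Subtracting the
    first equation from each of the others cancels the quadratic terms and
    leaves a linear system a*x + b*y = c, solved here via the normal equations.
    """
    if len(transmitters) != len(ranges):
        raise ValueError("one range per transmitter required")
    if len(transmitters) < 3:
        # Two circles intersect in two points; a third transmitter is needed
        # to pick one (the 'clear view' requirement in the text).
        raise ValueError("at least three transmitters are required in 2D")

    (x0, y0), r0 = transmitters[0], ranges[0]
    rows = []
    for (xi, yi), ri in zip(transmitters[1:], ranges[1:]):
        a = 2.0 * (xi - x0)
        b = 2.0 * (yi - y0)
        c = (r0 ** 2 - ri ** 2) + (xi ** 2 - x0 ** 2) + (yi ** 2 - y0 ** 2)
        rows.append((a, b, c))

    # Normal equations (A^T A) p = A^T c for the 2x2 case, solved by Cramer's rule.
    s_aa = sum(a * a for a, _, _ in rows)
    s_ab = sum(a * b for a, b, _ in rows)
    s_bb = sum(b * b for _, b, _ in rows)
    s_ac = sum(a * c for a, _, c in rows)
    s_bc = sum(b * c for _, b, c in rows)
    det = s_aa * s_bb - s_ab * s_ab
    if abs(det) < 1e-12:
        # Collinear transmitters: the geometry cannot fix a unique position.
        raise ValueError("transmitter geometry is degenerate (collinear)")
    x = (s_ac * s_bb - s_ab * s_bc) / det
    y = (s_aa * s_bc - s_ab * s_ac) / det
    return x, y


if __name__ == "__main__":
    # Constructed scenario: four transmitters at the corners of a square and
    # a receiver at (3, 4), in arbitrary planar units.
    towers = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
    print(trilaterate_2d(towers, simulate_ranges((3.0, 4.0), towers)))
```

With exactly three transmitters the system is square and the solution is exact; with more it is overdetermined, which is what lets real receivers average out range error. The degenerate-geometry check matters in practice: transmitters that lie on a line (or, in 3D, a plane) leave the position ambiguous no matter how many of them are in view.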

FIG. 2 is a block diagram illustrating the components of the present 
invention. Referring to FIG. 2 along with FIG. 1, the remote client 104 can be 
any suitable client machine computer, such as a desktop or notebook computer 
or similar smaller device. The remote client 104 accepts user input from a user 
102 and can be interconnected to the host server 106 through any suitable 
network connection 108, such as the Internet. As discussed above, the 
connection 108 between the remote client 104 and the host server 106 forms a 
networking environment or extranet 210. The extranet 210 can use any suitable 
technology, such as virtual private networking (VPN) technologies. 

The remote client 104 includes a receiver module 212 or positional 
access module that is configured to receive data from the transmitter system 
110. The remote client 104 also includes a positional relation module 214 that 
receives the data and translates the data into positional data for accurately 
locating the position of the client machine 104. The positional relation module 
214 can be a software application running on the remote client 104 that 
translates the data into latitudinal, longitudinal and elevational coordinates or 
map locations such as street addresses or city locations. 

The host server 106 includes an authentication module 216 that is 
configured to receive data from the remote client 104 and process this data with 
a position collector 218, a standard authenticator 220 and a positional 
authenticator 222. The authentication module 216 controls and authenticates 
access rights to the host server 106 based on predefined access parameters 
set by operators or network administrators of the host server 106. A portion of 
the predefined access parameters is used to associate specific locations of the 
remote client 104 with access rights for positional authentication. 
FIG. 3 is a flow chart illustrating operational details of the present invention. 
Referring to FIGS. 1-2 along with FIG. 3, first, before or during the start-up or the 
login process of the remote client 104 to the host server 106, the receiver 
module 212 receives positional data from the wireless positioning system 
indicating the remote client's position (step 310). The receiver module 212 
receives data from the transmitter system 110 and the relation module 
determines its location based on coordinates received, for example through 
triangulation. As such, specific positional location data of the remote client 104 
is determined, namely, latitudinal, longitudinal and elevational coordinates. The 
specific positional data can also be provided to the user 102 of the remote client 
104 for raw positional data use. 

Second, the remote client 104 requests a connection or access to the 
host server 106 (step 312). Third, remote client user login to the host server 
106 via the extranet 210 is initiated (step 314). Fourth, the authentication 
module 216 of the host server 106 is initiated (step 316). Fifth, the host server 
106 performs standard authentication of the remote client (step 318). Any 
suitable standard authentication method can be used, including typical methods 
that require logins with encrypted and secret usernames and passwords or 
methods that use IP addresses and passwords. Sixth, if the remote client 104 is 
authenticated, the remote client's positional data is transmitted to the host 
server 106 (step 320). 

Next, the host server 106 performs positional authentication to determine 
whether access should be granted or denied, and if granted, what level of 
access is allowed and whether an additional or special password is required. 
The authentication module 216 checks the position of the remote client 104 to 
see what type or level of access is to be allowed based on the predefined 
access parameters. Namely, this is accomplished by first gathering predefined 
positional access parameters (step 322) and then analyzing the position of 
remote client 104 and associating it with the predefined access parameters to 
provide, limit or restrict access to the host server 106 (step 324). This 
authentication is possible since the positioning receiver automatically locates 
the remote client. 
This extranet configuration 210 can automatically prevent unauthorized 
access where access is not allowed or can regulate different levels of access to 
the host server 106 based on where the remote client 104 is located. Software 
running on the host server 106 can be preprogrammed with the access 
parameters that define the access rights of remote clients 104 based on 
standard authentication and positional location for providing and restricting 
access throughout the world. Therefore, access rights to the host server 106 
can be automatically provided, limited or denied, depending on the predefined 
access parameters and the location of the remote client 104 at the time access to 
the host server 106 is requested. 
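The two-stage flow of steps 318 to 324 (and the same flow as summarised earlier in the Summary of the Invention), written out as an added Python example that is not part of the patent. The zones, user records, salt and password strings are constructed for the example. Representing a predefined positional access parameter as a circle of a given radius around a latitude/longitude, defaulting to deny outside every circle, and picking the smallest matching circle when zones overlap are assumptions, since the patent does not say how the parameters are stored. The example also makes the practitioner's caveat explicit: the position in step 320 is asserted by the client, so the server can use it to deny or narrow access but should never let it replace the standard authentication that precedes it.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    GRANT = "grant"
    DENY = "deny"
    SPECIAL_PASSWORD_REQUIRED = "special_password_required"


@dataclass(frozen=True)
class Zone:
    """One predefined positional access parameter: a circle on the earth's
    surface mapped to an access level (hypothetical representation)."""
    name: str
    lat: float
    lon: float
    radius_km: float
    access_level: str          # e.g. "full" or "read_only"
    special_password: bool = False


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user records for the example (a fixed salt keeps the example
# short; a real credential store uses a random salt per user).
_SALT = b"constructed-static-salt"
USERS = {
    "alice": {
        "password": _hash("correct horse battery staple", _SALT),
        "special_password": _hash("second-factor-phrase", _SALT),
    },
}

# Constructed positional access parameters (step 322). Anything outside every
# zone is denied: the policy is an allow-list, not a block-list.
ZONES = (
    Zone("headquarters", 40.7128, -74.0060, 5.0, "full"),
    Zone("partner_site", 51.5074, -0.1278, 20.0, "read_only", special_password=True),
)


def standard_authenticate(username: str, password: str) -> bool:
    """Step 318: conventional username/password check with a constant-time compare."""
    user = USERS.get(username)
    if user is None:
        _hash(password, _SALT)   # hash anyway so unknown users take as long as wrong passwords
        return False
    return hmac.compare_digest(_hash(password, _SALT), user["password"])


def positional_authenticate(position, zones=ZONES) -> Tuple[Decision, Optional[str]]:
    """Step 324: map the reported position to the most specific matching zone."""
    lat, lon = position
    matches = [z for z in zones if haversine_km(lat, lon, z.lat, z.lon) <= z.radius_km]
    if not matches:
        return Decision.DENY, None
    zone = min(matches, key=lambda z: z.radius_km)
    if zone.special_password:
        return Decision.SPECIAL_PASSWORD_REQUIRED, zone.access_level
    return Decision.GRANT, zone.access_level


def authenticate(username, password, position, special_password=None, zones=ZONES):
    """Full flow of FIG. 3: standard authentication first, positional second.

    `position` is whatever the client transmitted in step 320. The server cannot
    verify it, so the positional stage only ever narrows or denies access.
    """
    if not standard_authenticate(username, password):
        return Decision.DENY, None
    decision, level = positional_authenticate(position, zones)
    if decision is Decision.SPECIAL_PASSWORD_REQUIRED and special_password is not None:
        expected = USERS[username]["special_password"]
        if hmac.compare_digest(_hash(special_password, _SALT), expected):
            return Decision.GRANT, level
        return Decision.DENY, None
    return decision, level


if __name__ == "__main__":
    good = "correct horse battery staple"
    print(authenticate("alice", good, (40.72, -74.0)))      # headquarters: full access
    print(authenticate("alice", good, (51.5, -0.12)))       # partner site: extra password
    print(authenticate("alice", good, (-33.87, 151.21)))    # no zone: denied
```

The ordering is deliberate and matches the patent's step order: the position is consulted only after the standard factor succeeds, so a forged position cannot turn a failed login into a granted one. A radius-based zone is the simplest geofence; a deployment that needs "actual residence" granularity, as in the Social Security example below, would replace the circle test with a point-in-polygon check against the address on file.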

Basically, the administrator of the host server 106 can define which locations 
are allowed access and what type or level of access, if any. For instance, an 
administrator of a host server that contains sensitive and secure data for numerous 
users located throughout a country, such as the Social Security Office, can restrict 
access by location with the present invention. This would enable the host server to 
allow access based on the actual residence of the remote client and relate it to the 
records on file with the Social Security Office, which adds an additional layer of 
security to prevent unauthorized access by unscrupulous thieves trying to gain 
access to someone's social security information. 

Also, as another example, when the Internet is used as the basis for an 
extranet, such as World Wide Web pages acting as software distribution points 
with VPN technologies, security can be compromised if location is an important 
access constraint. In one example, if a World Wide Web page provides software 
that uses source code containing export-controlled encryption technology, the 
administrator of the host server would be required to take active steps to prevent 
use of the controlled encryption technology in areas to which it may not be 
exported. With the present invention, unauthorized use of and access to the 
software based on location could be controlled. In addition, software licensing 
can be controlled by having the authentication data include the normal read, 
write, execute, create and delete permissions, with the positional data used in 
determining the values of each 

IBM Docket NOMB9-2000-0835-US1 

method in accordance with the present invention. 

The foregoing description of the invention has been presented for the 
purposes of illustration and description. It is not intended to be exhaustive or to 
limit the invention to the precise form disclosed. Many modifications and 
variations are possible in light of the above teaching. It is intended that the 
scope of the invention be limited not by this detailed description, but rather by 
the claims appended hereto. 